From: Dan Carpenter <dan.carpenter@oracle.com>
To: anil_ravindranath@pmc-sierra.com
Cc: linux-scsi@vger.kernel.org
Subject: re: [SCSI] pmcraid: PMC-Sierra MaxRAID driver to support 6Gb/s SAS RAID controller
Date: Fri, 29 Jan 2016 13:39:49 +0300
Message-ID: <20160129103949.GA6359@mwanda>

Hello Anil Ravindranath,

The patch 89a368104150: "[SCSI] pmcraid: PMC-Sierra MaxRAID driver to
support 6Gb/s SAS RAID controller" from Aug 25, 2009, leads to the
following static checker warning:

	drivers/scsi/pmcraid.c:3376 pmcraid_copy_sglist()
	error: overflow detected.  __copy_from_user() 'kaddr' is 4096 bytes.  limit = '0-u32max'

drivers/scsi/pmcraid.c
  3331  static int pmcraid_copy_sglist(
  3332          struct pmcraid_sglist *sglist,
  3333          unsigned long buffer,
  3334          u32 len,
  3335          int direction
  3336  )
  3337  {
  3338          struct scatterlist *scatterlist;
  3339          void *kaddr;
  3340          int bsize_elem;
  3341          int i;
  3342          int rc = 0;
  3343  
  3344          /* Determine the actual number of bytes per element */
  3345          bsize_elem = PAGE_SIZE * (1 << sglist->order);
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This sets bsize_elem to PAGE_SIZE or higher.

  3346  
  3347          scatterlist = sglist->scatterlist;
  3348  
  3349          for (i = 0; i < (len / bsize_elem); i++, buffer += bsize_elem) {
  3350                  struct page *page = sg_page(&scatterlist[i]);
  3351  
  3352                  kaddr = kmap(page);
  3353                  if (direction == DMA_TO_DEVICE)
  3354                          rc = __copy_from_user(kaddr,
  3355                                                (void *)buffer,
  3356                                                bsize_elem);
  3357                  else
  3358                          rc = __copy_to_user((void *)buffer, kaddr, bsize_elem);
  3359  
  3360                  kunmap(page);
  3361  
  3362                  if (rc) {
  3363                          pmcraid_err("failed to copy user data into sg list\n");
  3364                          return -EFAULT;
  3365                  }
  3366  
  3367                  scatterlist[i].length = bsize_elem;
  3368          }
  3369  
  3370          if (len % bsize_elem) {
  3371                  struct page *page = sg_page(&scatterlist[i]);
  3372  
  3373                  kaddr = kmap(page);
                        ^^^^^^^^^^^^^^^^^^
This maps a single page.  Apparently, on x86_64 it's a no-op?  Likely
this code was not tested on a HIGHMEM system (x86_32 with more than 1G
of RAM).

  3374  
  3375                  if (direction == DMA_TO_DEVICE)
  3376                          rc = __copy_from_user(kaddr,
                                                      ^^^^^
  3377                                                (void *)buffer,
  3378                                                len % bsize_elem);
                                                      ^^^^^^^^^^^^^^^^^
We're copying more than PAGE_SIZE potentially.

Anyway, something odd is going on here, and I don't know what to do
about it.

  3379                  else
  3380                          rc = __copy_to_user((void *)buffer,
  3381                                              kaddr,
  3382                                              len % bsize_elem);
  3383  
  3384                  kunmap(page);
  3385  
  3386                  scatterlist[i].length = len % bsize_elem;
  3387          }

regards,
dan carpenter
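
The arithmetic behind the warning above, as an added user-space C model (not code from the original message or from the pmcraid driver): it shows when `len % bsize_elem` exceeds the single page that `kmap()` mapped, and a hypothetical `copy_page_bounded()` that never copies more than one page per mapping. `MODEL_PAGE_SIZE`, the function names and the sample length are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096u  /* assumed page size for this user-space model */

/* Bytes the tail branch (line 3370 onward) asks to copy: len % bsize_elem. */
static uint32_t tail_bytes(uint32_t len, unsigned order)
{
    uint32_t bsize_elem = MODEL_PAGE_SIZE * (1u << order); /* as on line 3345 */
    return len % bsize_elem;
}

/* Non-zero when the tail copy would run past the one page kmap() mapped. */
static int tail_exceeds_mapped_page(uint32_t len, unsigned order)
{
    return tail_bytes(len, order) > MODEL_PAGE_SIZE;
}

/*
 * Hypothetical page-bounded copy: pages[] models the pages of one element,
 * each mapped separately, so no single memcpy crosses a page boundary.
 * Returns the number of pages written, or -1 if n does not fit in npages.
 */
static int copy_page_bounded(unsigned char **pages, size_t npages,
                             const unsigned char *src, size_t n)
{
    size_t done = 0, idx = 0;

    if (n > npages * (size_t)MODEL_PAGE_SIZE)
        return -1;
    while (done < n) {
        size_t chunk = n - done;
        if (chunk > MODEL_PAGE_SIZE)
            chunk = MODEL_PAGE_SIZE;   /* never exceed the mapped page */
        memcpy(pages[idx++], src + done, chunk);
        done += chunk;
    }
    return (int)idx;
}

int main(void)
{
    uint32_t len = 16384u + 6000u;     /* constructed length, order 2 */
    printf("order 2 tail: %u bytes, exceeds page: %d\n",
           (unsigned)tail_bytes(len, 2), tail_exceeds_mapped_page(len, 2));
    return 0;
}
```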
